For those who may not be familiar with it, PHRACK magazine is one of those underground on-line information sources that bears reading by anyone interested in getting a "second opinion" about controversial issues in the computer world. After reading the last issue, PHRACK40, I was for the very first time in doubt as to the validity of this publication. It can be assumed from the subject matter and from the way it's treated that many of the authors need to publish under various false names, but it can NOT be assumed that publishing under an alias gives one license to concoct missing facts when needed or to speculate and then supply evidence as needed like a kangaroo court.

PHRACK40 contained a very interesting article by someone signing him/herself as "Dispater" concerning the business of anti-viral software and research. The article was quite informative, gave pre-supposed "conclusions" and of course, evidence to fit, AND a lengthy editorial based on the premise that a group of anti-viral software writers are engaged in a plot to bilk the general public of hard earned dollars. Most of the evidence was collected during a recent conference in Washington DC and seemed quite legitimate... Trouble was, I was familiar with some of the incidents reported in the article and what I knew didn't match up with the descriptions given. Since one of the people maligned happened to be accessible in the area, I decided to leave some e-mail and see what she had to say.

The person in question was Sara Gordon at VFR Systems. Ms Gordon runs a very competent free information service for people who have need of anti-virus information. As far as I know, she's never made any profit from virus work and puts in long hours trying to help keep cyberspace free for the use of all. Since almost the entire article was quoted at one point or another in her reply, I thought enough people would be interested in it to go ahead and post (with her permission of course).

If you haven't ever looked at a copy of PHRACK before, I suggest you do so. It's good writing (well, it was up till now), good reading, and as always, very entertaining and thought provoking. Assuming that "Dispater" continues to be a regular contributor, I can hardly wait to see if next issue contains some wonderful story about the return of "Elvis".

------------------------------------------------------------------------

August 8, 1992

Dear Mr. Wiggins;

Regarding your recent inquiry concerning the PHRACK40 article:

> "Truth Is Out Of Style"

Apparently it is certainly out of style for whoever sent this information to the people at Phrack. I have talked to a number of the 'contributors' who expressed regret at the article.

> An Investigative Report Into Computer Security Corruption
>
> by Dispater

I cannot answer your question as to the identity of any of the Phrack staff or contributors; while I do know this, it is neither important nor relevant at this point in time.

>It seems that these days the anti-virus industry/community has brainwashed the
>public into thinking that any use of a modem will put you in contact with an
>unfathomable array of dangers. It sounds like something your mom said, when
>she didn't want you to stay out after dark doesn't it?

Actually, the anti-virus community works very hard to do just the opposite.

I am Sara Gordon, the person referred to in this letter as Sarah Gordon. Sarah is a name that only a few people use. It is odd they would choose to use it, since apparently they don't know me. It is possible they saw my name tag, which was incorrectly spelled, or that they spoke with KL, who was kind enough to show me the fine city of Washington, D.C. I can only assume this little indictment is a form of personal communication in a public forum, for the only people that know this form of my name live outside the U.S.A. and do not participate in PHRACK, with few exceptions, none of whom were at the NCSA conference.

>As it turns out the anti-virus community has all the moral fiber of television
>evangelists. As they preach on about the horrors of accessing information
>(without purchasing one of their products), they are engaging in the activity
>that they claim should be made a federal offense, in Congress. That is the

Who claims this? I do not claim this. Never. I have heard irresponsible 'professionals' and 'experts' state this sort of nonsense, i.e. you can get viruses from modems, you can get viruses only from bbs, etc... Perhaps whoever is sending Phrack this 'virus information' is one of them. Judging from past Phrack information about computer viruses, I would think this is very likely. As for making this activity a federal offense, yes, I have heard it stated. I have not personally stated it, for the record.

>"distribution of computer viruses. Not only have they been involved in this
>type of activity since they industry began, but now there is a self proclaimed
>"elite" [smirk] group of so-called professionals within the industry that wish
>to keep a monopoly on the virus trade, by ruining the reputation and lives of
>independent researchers. So in a way, we now have a "virus cartel" within the
>computer security industry.

I have never seen the life or reputation of a researcher ruined, nor watched any such process, actually. Of course, if you call those who want to destroy net connectivity thru their own lack of responsibility, "researchers", then perhaps it is a good idea. Maybe I should make a point to do it. Of course, I won't libel them to do it. That can get expensive. I think, from later references, they refer to sysops of Virus Exchange Bulletin Boards. These are not run by researchers.

> The Little Black Book of Computer Viruses
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>The Little Black Book of Computer Viruses is a printed text that has been
>around for a few years, but is finally making waves with people who think
>Prodigy and CompuServe are the best networks ever invented. Anyway, this book
>contains printed out versions of viruses. Gee, viruses are SO difficult for
>people to get their hands on aren't they? Well, one of the information
>dinosaurs got his name in print for condemning such immorality.
>
> "Professional virus fighters such as Alan Solomon at S&S
> International are madder than angry hornets over the publication.
> They are encouraging anti-black book campaigns that include
> PICKETING THE AUTHOR'S HOUSE, boycotting shops that sell the book,
> petitioning Congress, and even bringing in lawyers."
> -- ComputerWorld, June 29, 1992, page 4 (emphasis added)
>
>Well isn't it interesting to note that while Mr. Solomon is encouraging
>personal and economic harassment of Mr. Ludwig, his close friend and business
>associate, Sarah Gordon is doing the dirty work for him.

It's Dr. Solomon, not Mr. Solomon. But that's not important. I like Alan Solomon, but I am not his 'close' friend. I am a 'close' friend of more virus writers than I am anti-virus professionals, primarily because it is with them I have spent the most time. What I do for Alan Solomon, or any anti-virus researcher, is not 'dirty' work. As for being his 'business associate', this is completely untrue. Alan and I have no arrangement which involves the exchange of any money. I did not steal the book, harass the author or picket his house, or advocate any such thing. In fact, I think Mr. Ludwig (the author) is kind of cute, but that is also beside the point.

> The Con
> ~~~~~~~
>The National Computer Security Association's 1st Annual Conference on Viruses
>took place in Washington, D.C. this past June. Alan Solomon and Sarah Gordon
>were there in full force.
>Gordon has often been referred to as being Solomon's
>sidekick and nowhere did she live up to this distinctive title more than at
>this conference.

I have never heard myself referred to as Solomon's little sidekick. I have heard a lot of other titles. This one is pretty kind. It's funny, though, how when you see a woman it's assumed she is the man's sidekick. Maybe Alan was there to assist me? In any case, I acted as Alan's personal assistant in this presentation portion of the conference. This is the accurate representation of the situation.

>At the conference, Gordon purchased not one, but two copies of Ludwig's book
>and then immediately ran to the conference organizer to make a dramatic scene
>over how immoral it was for Mr. Ludwig to be selling such a thing. As it turns
>out this is not the first time Sarah Gordon has engaged in such hypocritical
>behavior.

Nope. The conference organizer was Robert Bales. I talked to him since I was also working there for him, but I did not mention these books to him. In fact, I was walking around with KL and wanted to make some bit of a stir. He knew what I was doing, and encouraged it. Seemed to enjoy the scene, even. Yes, I did this intentionally; but I would have purchased the books anyway, for I told a friend of mine I would get one for him, and I wanted one for myself. I see nothing hypocritical about it. I purchased two because I needed two. I suppose I could have gotten comp copies, but I'm not that sort. I told KL I was going to show them to Alan when we -saw- Alan. We did not go looking for him. In fact, I said 'watch, I'm going to show these to Alan, and watch him go off!'. I did it because I like Alan. I did it MORE IMPORTANTLY because the man selling the books had agreed to NOT sell them. It's not that he sold them that bothered me. It's his right. I don't care if he sells them. It's that he said he would NOT and then did it anyway. THIS is the reason I told Alan.
The reason I bought the books was because I wanted them. So what? Is that a con? Then KL is in on the con, for he did also buy one. Throw us in the jail together. Do you see the distinction here? It was not the selling of the information that is the problem; it is the lie that is the problem. How much simpler it would have been to just say 'No, I will exercise my right to sell this book'.

>Another interesting thing to note at the conference is the fact that one
>evening, Knight Lightning and a couple of others noticed some people sitting
>around a room and walked in out of curiosity to what was going on. As it
>turned out what was going on was a "midnight meeting" of sorts. KL and friends
>were asked to leave because "it was not appropriate that be here." Why
>wasn't it appropriate? It's because what these people were doing was
>discussing the ways they were going to "take down bulletin boards" and damage
>people's career's who distribute viruses.

This is inaccurate. This was not the purpose of the meeting. This was in fact not even discussed at the meeting. I was asked about the state of vx systems, and I did give my response which is based on my study of such systems. I did say that I do not favor making such an effort to close them down, for they are just not a danger. KL and friends were asked to leave not because of who they ARE but because of who they are not. The meeting was a group of product developers. KL is not a product developer, nor does he work with anyone developing anti-virus products. Kim Clancy works for the Treasury Department. They simply had nothing to offer in this situation, and so were asked to leave. KL and Kim were invited to the meeting by someone who did think it was going to concern the underground; and in that case, it would have been great to have them there. But as it turns out, the meeting was not for that, so they were asked to leave. They weren't just sitting around and wandered in. This is just not accurate.
The focus of the discussion was hardly virus bulletin boards. It had nothing to do with who they were. It had to do with who they were not. I did specifically tell KL this very thing when Phrack alluded to this the last edition; he told me he didn't feel it was so important, so let it go. I see it has indeed been 'let go'. By his own admission, Craig Neidorf does not know much about computer viruses. Why would he think he should be just allowed to take part in such a meeting? It simply did not concern him. There was no 'conspiracy' or any such thing. He and Ms. Clancy simply did not belong there. It would be the same as my expecting to sit in on a staffing at the Treasury Department. I would not be allowed in; not because of who I -am- but because of who I am -NOT-.

>Sometime after this conference, I learned about their plan to use "the media to
>ruin these sysops. For example, to use influence with the media to call
>attention to this type of activity." These people even went so far as to
>compile a list of BBSes that they wish to "take down."

This is not true. 'These people' did compile NO such list at any meeting I attended. I have heard of such a plan, actually a 'theory' of how to do this, as it's been done in other places; but, as for a plan..this is just not the case.

> The Hit List
> ~~~~~~~~~~~~
>It is unclear as to whom is directly responsible for the organization of this
>group or who is responsible for creating and distributing the list, however
>there were representatives from CERT, ISPNews, and several other well known
>individuals who are self-proclaimed security experts as well as a slew of
>nobodies who wish to make a name for themselves.

No one in that group presented a list, or named any systems, period. Until NOW, I have had a good and trusting relationship with Rob Page. With a few ill chosen and inaccurate words, Phrack has managed to prompt him to contact me, and accuse me of screwing him. This is so sad.
Whoever sent Phrack that list has a very incomplete list. I have a list of many more such systems. So what? Everyone has lists. Anyone can get the numbers. No one was there to try to gather information on these systems. If a system does something illegal, the sysadmin or whoever can manage it. If it's illegal but not unethical, I personally can't complain about it. In any case, I heard no one from CERT say 'shut them down'. We discussed many things; shutting down virus exchange bbs was not one of them. I think the only time bbs were even mentioned in that room, that I heard, were 1. a brief discussion about the lack of speed of a certain system utilized (or proposed to be utilized) by some of the people there and 2. talk about an Israeli site that was rumoured to be trafficking in viruses. Since the NSF probably looks down on virus-exchange sites on the internet, this is not so hard to imagine. However, even these 'discussions' were probably no more than one or two minutes each.

> The Hell Pit BBS
> ~~~~~~~~~~~~~~~~
>The Hell Pit is a BBS system in Chicago and operated by a sysop named Kato.
>Kato has a legitimate curiosity (as if a curiosity needs to be validated) about
>the inner-workings of viruses. I shall let him relate his experience:
>
> "I have been running The Hell Pit BBS for the past 3 years. It's gone
> through many phases in that time, but the most recent has been my affection
> for computer viruses. I became interested in viruses about one and a half
> years ago and I set up a virus file base on my system. At first I had a
> mere 5 or 6 viruses that I had collected from a system in the area. My
> collection has grown to about 700 IBM computer viruses."
>
> "It seems to be their objective to shut down my bulletin board system and
> therefore eliminate my virus database. Considering these anti-virus
> personnel claim to be interested in aspects of computer security, I find
> their tactics highly questionable.
> There was recently a NCSA anti-virus
> conference. I learned from sources that one of the people attending the
> conference [Sarah Gordon] had committed certain acts on my BBS. This person
> claimed to have called up, uploaded 3 fake viruses, gained access to my
> virus database and then downloaded several viruses. This is their proof
> that I do not adequately control virus access on my system. The anti-virus
> personnel do not allow me to defend myself."

Wait. How can he question any tactics about anything? If his system is secure, it is secure. If not, not. In any case, my objective in my interaction with Mr. Page was not to demonstrate the insecure nature of his dealings with the public. I have addressed this personally to Rob Page. He did contact me, as I mentioned. What Phrack has done here is a terrible disservice to the nets as a whole. Are they so desperate to make a story that they will convolute and make one up? Is this the reason KL took me out to dinner and entertained me? To get half truths to make good reading for PHRACK? I never said ONE time anything about inadequate control of viruses on the hellpit system or any other system. I never said ANY time I would like to shut down the hellpit, or any other virus exchange bbs. What I did say was that irresponsible acts threaten the connectivity of the nets; and that it must stop. Phrack defines anti-virus education as 'irresponsible' without taking the time to ask someone involved in it what it does really consist of. Do you think they will get more accurate information from someone who does not even use their real name to send them mail? "unnamed sources sent us this"...right. I have been on the side of the freedom of information for a very long time. I have publicly defended it and do still publicly defend it. This article is full of errors and misrepresentation.

> "Anti-virus personnel themselves have committed the same mistakes as I did,
> probably much more often.
> There is no set of rules that determines what

Right. and wrong. They have committed the same mistake. This is without question. There is however a set of rules that dictates what is a researcher. You can't make yourself be one. I'm not one. You aren't one. Rob Page isn't one. There is no crime in not being one, but there are requirements to be one. No one says you must be one to have viruses, at least, I don't say this.

> makes someone an anti-virus authority. Certain people that seem to fit the
> mold are allowed to exchange viruses with anti-virus personnel. What are
> the criteria for these people? Is there any? It has been my experience

Exchange viruses with anti-virus personnel? What does this mean? Who does this? What people?

> that if you get involved with the right circles, you are considered an anti-
> virus authority. However, there are many places in the anti-virus community
> for viruses to leak out. For one thing, you can never be certain who you
> are dealing with. Just because someone is smart and claims to hold an anti-
> virus attitude is no guarantee that that person isn't an "in the closet"
> virus writer.

Ah. This old argument. Yes, this is true. There are no guarantees. Just because someone takes you out and acts like they are your friend is no guarantee they are not out to stab you in the back. True.

> "At anti-virus conferences such as the NCSA anti-virus conference, guests
> were exchanging viruses like they were baseball cards. That isn't what I
> would consider controlling access."

This is not true. Period. I agree. I would not call that controlling access. Since it did not happen, however, it is moot.

> "They do help a lot of people with computer troubles. However, to criticize
> me for not properly controlling access to my collection of viruses is being
> hypocritical."

I can only speak for myself. I cannot speak for other people.
What I see is the gross negligence of many so called 'responsible people' to help spread viruses and instructions on the malicious disruption of (here comes the c word) 'cyberspace' (ack). Now, I don't go for that. At all. However, my studies have proven that they have little if any effect on the nets as a whole, and for that reason alone, I did stand to defend them, as well as their right to do what they want with no interference from the law, UNTIL it is shown that their activities do directly disrupt the rights of others in a way that certainly negatively impacts them. At that point it becomes obvious it is time to take a second look at this issue of 'freedom of information'--perhaps not to limit the control but to question what it is exactly we do believe in. If it comes to be that I am in error, and that these systems do in fact provide a great disruption to nets, then yes, they should be shut down. Why? Because data is not meant to be destroyed. So, the logical thing to do is for the virus writers to learn responsibility. Why do they write them? Why do they distribute them? And why doesn't Phrack publish the docs from them so people can see that some of these people do not want to keep information free, but instead to destroy it. Phrack is supporting the destruction of information. My bbs has carried Phrack for a long time. It will not stop making it available; however, why read the National Enquirer when you can get Phrack for Phree? Seriously, this is quite disturbing. Your letter raised some interesting points, and I hope I have responded to your satisfaction.

> "If anyone would like to call my system to check things out, feel free. I
> have a lot more to offer than just computer viruses. I have a good number
> of text files and some pretty active message bases. The Hell Pit BBS -
> (708)459-7267" - Kato

Rob Page has always treated me with respect and honesty. So have each of the members of phalcon/skism as well as individual virus writers.
I don't walk both sides of the fence. I state quite clearly what I think and why. I am on the side of the information being available to everyone and not being destroyed; and on the side of no one destroying any information because they think it's fun and games. It is not fun. It is not games.

> Conclusions
> ~~~~~~~~~~~
>It seems there is a move afoot in the anti-virus community to rid the world of
>bulletin board systems that disseminate viruses openly and freely. The anti-
>virus professionals believe that they must "defend the world" from this type of
>activity. Even though during a recent conference in Washington, D.C., it was
>disclosed that an anti-virus researcher recently uploaded three (3) viruses
>onto a virus BBS (Hell Pit). Why was this done? To "expose the fact that the
>sysop was not as careful as he claims to be." The person that did this was
>then able to download viruses which was against the policy the sysop claimed
>was in place (of course this statement is based upon the integrity of the anti-
>virus community and their integrity is obviously suspect).

No, no, NO. There is no such 'move afoot', and there were no viruses uploaded to a virus exchange bbs by any researchers. Do you want the truth? Ask the person who did the report. Ask me. Why ask someone with an axe to grind? Anyone can ask me that likes, any questions. If you have specific questions, Mr. Wiggins, please do ask them.

>So, the anti-virus community set-up this sysop and made an example of him in a
>national conference without allowing him the opportunity to defend himself. In
>fact, the sysop may still be totally unaware that this event has even occurred,
>until now that is.

This is inflammatory, and based on inaccuracies. Rob Page was not the focus of the study. -I- did the study. Alan commented on it as part of his presentation. He feels the BBS should be shut down. I do not agree with his feelings in total. He respects my right to my opinion. I respect his.
In -any- case, it was -me- who did this report, not the anti-virus community. How can Dispater know what it says? Does he have a copy of it? Would he LIKE a copy of it? Did he even ASK for one?

>These anti-virus researchers were openly exchanging copies of viruses for
>"research purposes only." It seems okay for them to disseminate viruses in the
>name of research because of their self-proclaimed importance in the anti-virus
>community, but others that threaten their elite (NOT!) status are subject to be
>framed and have examples made of them.

No one was exchanging viruses openly or otherwise. Look, they are calling me a researcher, and assuming I exchange viruses with these people. I am not. I'm an educator. I run a FREE information system. I work for FREE. I don't get ONE PENNY from any anti-virus researcher. I remove viruses for FREE. You call my BBS. Have -you- ever seen me ask for one dime? Have you ever heard of my asking any of our users for money for the information? No. And you will not. Yesterday some virus exchange sysop called me to ask me if it's true I am doing some certain thing. Seems he heard this from an anti-virus 'researcher'. Must be surveillance cameras in my lab now....

> Do As I Say, Not As I Do
> ~~~~~~~~~~~~~~~~~~~~~~~~
>This type of activity raises a very interesting question. Who gives private
>sector computer security employees or consultants carte blanche to conduct this
>type of activity? Especially when they have the gall to turn around and label
>hackers as criminals for doing the exact same thing. The answer is not who,
>but what; money and ego. Perhaps the most frightening aspect of this whole
>situation is that the true battle being fought here is not over viruses and
>bulletin board systems, but instead the free dissemination of information. For
>a group of individuals so immersed in this world, there is a profound ignorance
>of the concepts of First Amendment rights.

You know, I have for three years been writing a paper on this very topic. The double edged sword of situational ethics. This is, however, inaccurate to the point of being just sad.....money and ego? If I personally wanted money, I would not be wasting my time disassembling viruses and helping people undo the damage all those who are busy trashing hard drives do.

>Phrack Magazine is ready to stand tall and vigorously keep a close watch and
>defend against any incursion of these rights. We've been around a long time,
>we know where the bodies are buried, our legion of followers and readers have
>their eyes and ears open all across the country. Those of you in the security
>industry be warned because every time you slip up, we will be there to expose
>you.

Good. If their eyes and ears are open, then they can see that someone was feeding them a real line here. My position is not important. I am no one. I'm not important. What -is- important is that the facts be clearly stated; you cannot fight a war if you kill your comrades instead of your enemies. If you believe information is free, and belongs to everyone, then work on the ethics of the kids who think responsibility means cracking out a new virus each week for the group; a kid whose idea of keeping net connectivity going is to distribute as much destructive information as possible. I can not honestly say that I am totally against regulation of computer viruses as a 'commodity'. I just don't have enough information in to make a judgement, and it's not my judgement to make. What I can say is that while some of the a-v industry would like to see virus exchange systems shut down, others don't really care. Also, the truth does speak for itself. Does it matter that a virus bbs was shown publicly to not control who gets the viruses--that in fact basically ANYONE can get them?
I think the issue has gotten a bit 'cloudy' here: we are talking about destructive programs that replicate and manipulate data without your knowledge and permission. We are talking about programs that can format your hard drive, or make it temporarily unbootable. Not only that, but we are talking about (in some cases) systems that take special care to tell kids how to destroy data. So what if it was shown to be what it is? I did not make it what it is. If Mr. Page wants to run that sort of BBS, he can; however, he is responsible for it, regardless of what he says in his logon screen. I'm talking ethically. We are all responsible for our actions.

You asked me how I felt about uploading three viruses to that system. First of all, they were not viruses. They were samples created and tagged to help me see where they might later be inserted. Most of the virus 'programmers' just patch things together, and it would be relatively easy to spot the code in these programs. They did not replicate and had no harmful attributes. I sat right here as they were sent up, and quite honestly I did not really feel that great doing it. However, weighed against the normal 'things' found there, even given the fact that a good portion of them are not viable samples, I do not feel that this was a great disservice. It was my idea to do it, and I did it for the reasons stated. It also did happen to illustrate the lack of controls on the viruses there; I did allow this to be used, I did participate in it willingly, for it is fact; it was, however, not the purpose of the upload from my personal point of view. And, come on! What are they crying about? This place gives away viruses to just about anyone. That is the real point, isn't it? I don't say legislation is the answer. I say we need to consider all of the answers. The people yelling the loudest about 'free information' are the ones who are writing viruses (and not even good ones at that) which do nothing more than trash someone's hard drive.
Doesn't this seem a bit contradictory to you? The people crying about 'they say buy their product' are the ones who make the products necessary. The truth hurts. Lies also do hurt.

I hope I have answered your questions fully. If you have further questions please feel free to contact me at the BBS. Thank you for your participation, and please, don't believe everything you read in Phrack.

Sara Gordon
VFR Systems International
sara@gator.rn.com

*excerpt from article*

The term "situational ethics" refers to an ethic based on the idea that an act alone is neither good nor evil: its ethical status depends on its circumstantial setting. An outside criteria set must be defined and applied to the given situation, to determine whether or not the action, in the given situation, was in keeping with the criteria.

Social engineering demonstrates the principle of situational ethics. Investigators and other security personnel advocate and use social engineering techniques to identify and build cases against computer users suspected of criminal acts. When used in this way, social engineering techniques are considered ethically acceptable, because the outside goal is the protection of commercial property and privacy. In this case the actions are typically renamed "investigative techniques" or "security procedures".

Given that an egocentric ethical framework is prevalent in our society, it is not surprising that virus writers find nothing wrong with utilizing whatever means they need or desire to obtain their goals. After all, they have been shown by the people in authority that anything is correct, if they themselves determine it to be correct. They do not see why it should be acceptable for an investigator or security person to bait a virus writer, or to impersonate a colleague, and yet be unacceptable for them to use the same techniques. Is it any wonder the virus writers have declared war on society?
And we continue this war in the name of "security", because commerce is threatened and because the prerogative of the security agencies is being usurped. We escalate the war through our ambivalent media coverage of it. We have developed a society that is dependent on secure electronic information, without developing and promoting the ethical standards required to maintain that security.

On the other hand, the sentiments of these groups about 'freedom of information' and 'rights' overlook the fact that freedom does not include the freedom to hurt other people, or other people's data. These bulletin boards are the antithesis of the true spirit of computing. If for no other reason, we all should be very concerned over this issue of 'freedom'.

The editors of Phrack, in publishing such a recklessly inaccurate article as the one regarding the NCSA Anti-Virus Conference, have only reinforced the negative image of the computer underground. While they certainly have the right to say what they -think-, they should at least get their facts straight. Additionally, it is personally disappointing to me that they would use such methods as they did to 'get close' to me, when all they really had to do was ask me; I would have been happy to tell them my views on the issue they were addressing.

"These same kids who are yelling so loud about freedom of information are the same ones encouraging people to trash systems and hard drives"

Isn't this a bit ironic?